FTC Submits Comment To Aid NTIA In Developing Internet of Things Guidance

Ballard Spahr LLP

In its latest effort to address security concerns about Internet of Things (IoT) devices, the Federal Trade Commission (FTC) has submitted public comments to the National Telecommunications and Information Administration's (NTIA) Working Group on Communicating Upgradability and Improving Transparency.

Although the FTC stated that its comments are not intended to provide a "template for FTC law enforcement," it did articulate its expectation that manufacturers consider its comments in addition to any final guidance issued by the NTIA.

The working group was tasked with developing guidelines for manufacturers on providing disclosures related to potential security vulnerabilities in IoT devices or applications. The FTC said its comments, submitted on June 19, 2017, are intended to ensure that any guidance released by the working group reflects the FTC's experience with IoT devices and with consumers' perceptions of disclosures.

The NTIA stated that addressing potential security vulnerabilities in IoT devices or applications through patching and security upgrades is an area of concern and will require a set of common definitions so that consumers understand what they are getting. To that end, the NTIA announced last September that it would convene a multi-stakeholder process on IoT Security Upgradability and Patching. The goal would be to develop a broad, shared set of definitions around security upgradability for consumer IoT, as well as strategies for communicating the security features of IoT devices to consumers.

The NTIA requested comments on a draft of its guidance "Communicating IoT Device Security Update Capability to Improve Transparency for Consumers," published in April 2017. The guidance lists "key elements" that manufacturers should consider communicating to consumers prior to purchase:

  • Whether a device can receive security updates
  • The anticipated timeline for the end of security update support.

The guidance also lists "additional elements" that manufacturers should consider communicating to consumers before or after purchase:

  • A description of how users are notified about security updates
  • A description of what happens when the device no longer receives security update support
  • A description of how the manufacturer secures updates or how the process is reasonably secure.

The FTC offered a number of suggestions on the draft guidance. In response to the "key elements" that manufacturers communicate before purchase, it proposed that manufacturers:

  • Disclose a guaranteed minimum security support period rather than an "anticipated timeline for support"
  • Clarify when the support clock starts, such as the date of purchase or date of initial market release
  • Disclose if a "smart" device will stop functioning or become highly vulnerable when security support ends

For the "additional elements" manufacturers should communicate before or after purchase, the FTC proposed that manufacturers consider:

  • Adopting a uniform notification method
  • Enabling consumers to sign up and provide contact information at the point of sale or after for affirmative notifications about security support
  • Providing real-time notification when support is about to end

The FTC’s recommendations are important because, even if NTIA does not adopt them, the FTC has stated that it still expects manufacturers to consider them.

 
